Mediatype for SPDX should be application/spdx+json

sigstore / cosign

Code signing and transparency for containers and binaries

Apache License 2.0

4.23k stars 506 forks source link

Mediatype for SPDX should be application/spdx+json #3515

Open lumjjb opened 5 months ago

lumjjb commented 5 months ago

Description

According to IANA registered, the mediatype for spdx JSON documents should be application/spdx+json

Currently, it is set to "text/spdx+json" in

Version

head

viveksahu26 commented 5 months ago

Yes, media type for spdx is text whereas, the media type for spdx+json is application,

viveksahu26 commented 5 months ago

WDYT @haydentherapper ?

haydentherapper commented 5 months ago

Seems correct, just want to avoid any breaking changes on the verification path.

viveksahu26 commented 4 months ago

No it will not affect verification. Currently we have 2 way to add SBOM, one is cosign attach sbom(it doesn't sign) and cosign attest --type sbom(it sign sbom). On changing media type will only have to do with attach one not with attest one. And for verification process, the attest has a way for verification but not for attach one.

@haydentherapper , One thing I wanted to ask, basically cosign attach sbom will be depreciated on 22/02/2024, so, will change makes sense or not ?

haydentherapper commented 4 months ago

We don't need to continue to support anything that's been deprecated.

viveksahu26 commented 4 months ago

Ok, let's close it.